On Thu, 19 May 2011 12:22:44 +0200, Robert O'Callahan <rob...@ocallahan.org> wrote:

On Thu, May 19, 2011 at 9:34 PM, Philip Jägenstedt <phil...@opera.com> wrote:

Regarding user prompts, I am tentatively in favor of the approach that Jer
appears to be arguing for, which is to never prompt the user but rather
simply require direct user interaction in order to go to fullscreen


The rest sounds reasonable, but I doubt "requiring direct user interaction" (by which I assume you mean requiring the user to click somewhere (anywhere) in the page) provides any meaningful security benefit. I certainly think I'd have a hard time convincing our security people of that!

That would not be the only line of defense and is as much an anti-annoyance feature, like pop-up blocking, as it is part of making it abundantly clear to the user what page has gone into fullscreen and why. This is certainly *relevant* to security, although not the only component.

Are there security issues with this setup?

* fullscreen can only be requested by direct user interaction
* fullscreen is entered with an animation
* after entering fullscreen (for the first time on a site, or whatever rules the UA imposes), it's impossible to interact with the page until the user acknowledges that they want to stay in fullscreen, with the page dimmed in the background.

The last point could be replaced by whatever the UA thinks is enough to be sure that the user realizes what has happened; prompting wouldn't be mandatory.

--
Philip Jägenstedt
Core Developer
Opera Software
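The three-point setup Philip describes, sketched from the page's side as an added example (not code from the thread or from any browser vendor). The UA enforces the real policy; the set of activating event types, the dimmed "stay in fullscreen" overlay and the `f` key binding are assumptions made for illustration.

```javascript
// Events that count as direct user interaction (browser "user activation").
// This list is an assumption; the UA keeps its own.
const ACTIVATION_EVENTS = new Set(["click", "keydown", "keyup", "mousedown", "pointerup", "touchend"]);

// True only for a trusted (UA-dispatched) event of an activating type.
// Script-created events fired via dispatchEvent() have isTrusted === false,
// so a page cannot manufacture its own "interaction".
function isDirectUserActivation(event) {
  return Boolean(event) && event.isTrusted === true && ACTIVATION_EVENTS.has(event.type);
}

// First bullet: only request fullscreen from a direct user gesture. Returns a
// Promise that rejects otherwise, matching how the real API behaves when the
// document has no user activation.
function enterFullscreen(element, event) {
  if (!isDirectUserActivation(event)) {
    return Promise.reject(new Error("fullscreen requires direct user interaction"));
  }
  if (typeof element.requestFullscreen !== "function") {
    return Promise.reject(new Error("Fullscreen API not available"));
  }
  return element.requestFullscreen();
}

// Third bullet: dim the page and block interaction until the user confirms
// they want to stay; the only other way out is leaving fullscreen. Assumes the
// fullscreen element is the document element, so the overlay sits inside it.
function showStayPrompt(doc) {
  const overlay = doc.createElement("div");
  overlay.setAttribute("style", "position:fixed;inset:0;background:rgba(0,0,0,0.7);z-index:2147483647");
  const stay = doc.createElement("button");
  stay.textContent = "Stay in fullscreen";
  const leave = doc.createElement("button");
  leave.textContent = "Exit fullscreen";
  stay.addEventListener("click", () => overlay.remove());
  leave.addEventListener("click", () => doc.exitFullscreen());
  overlay.append(stay, leave);
  doc.body.append(overlay);
  return overlay;
}

// Wiring, only when running in a browser (guarded so the functions above can be
// exercised outside one). The animation in the second bullet is the UA's job.
if (typeof document !== "undefined") {
  const target = document.documentElement;
  document.addEventListener("keydown", (e) => {
    if (e.key === "f") enterFullscreen(target, e).catch((err) => console.warn(err.message));
  });
  document.addEventListener("fullscreenchange", () => {
    if (document.fullscreenElement) showStayPrompt(document);
  });
}
```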
